If you see the message “AccessDeniedException when creating service linked secrets, insufficient privilege” when trying to set up a Redshift connection in AWS Glue 5.0, it usually means there are permission problems with AWS Secrets Manager.
To fix this, start by making sure your IAM role for AWS Glue has the correct permissions. Specifically, it should have access to the secret through the “secretsmanager:GetSecretValue” permission. Without this, Glue can’t retrieve the credentials stored in Secrets Manager, leading to that error message.
Next, check your network setup. For Redshift connections, especially with the latest Version 2, you need to set up certain VPC endpoints with private DNS enabled. These include:
- AWS Secrets Manager (interface type)
- Security Token Service (STS) (interface type)
- AWS KMS (interface type)
- Amazon S3 (gateway type)
- Amazon Redshift (interface type)
Make sure these endpoints are in place to allow traffic to flow between AWS Glue and these services.
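The endpoint checklist above can be audited offline against saved output from `aws ec2 describe-vpc-endpoints`. The following is an added example, not code from the original page or from AWS: the sample data, VPC IDs, region and helper names are constructed, and it assumes the standard `com.amazonaws.<region>.<service>` endpoint service naming.

```python
# Service suffix -> endpoint type, taken from the list above.
REQUIRED = {"secretsmanager": "Interface", "sts": "Interface", "kms": "Interface",
            "s3": "Gateway", "redshift": "Interface"}

def audit_endpoints(describe_output, region, vpc_id):
    """Return findings for the given VPC; an empty list means all five endpoints are in place."""
    prefix = f"com.amazonaws.{region}."
    found = {}
    for ep in describe_output.get("VpcEndpoints", []):
        name = ep.get("ServiceName", "")
        # Endpoints in other VPCs do not help the Glue connection's VPC.
        if ep.get("VpcId") == vpc_id and name.startswith(prefix):
            found.setdefault(name[len(prefix):], []).append(ep)
    findings = []
    for service, want_type in REQUIRED.items():
        live = [e for e in found.get(service, [])
                if e.get("State", "").lower() == "available"]
        typed = [e for e in live if e.get("VpcEndpointType") == want_type]
        if not live:
            findings.append(f"{service}: no available endpoint in {vpc_id}")
        elif not typed:
            findings.append(f"{service}: endpoint is not of type {want_type}")
        # Private DNS applies to interface endpoints only, not the S3 gateway.
        elif want_type == "Interface" and not any(e.get("PrivateDnsEnabled") for e in typed):
            findings.append(f"{service}: private DNS is disabled")
    return findings

def make_endpoint(service, ep_type, private_dns, vpc="vpc-0example"):
    """Build one constructed record in the shape of describe-vpc-endpoints output."""
    return {"VpcId": vpc, "ServiceName": f"com.amazonaws.us-east-1.{service}",
            "VpcEndpointType": ep_type, "PrivateDnsEnabled": private_dns,
            "State": "available"}

# Constructed sample: Secrets Manager has private DNS off, KMS sits in another VPC.
SAMPLE = {"VpcEndpoints": [
    make_endpoint("secretsmanager", "Interface", False),
    make_endpoint("sts", "Interface", True),
    make_endpoint("kms", "Interface", True, vpc="vpc-0other"),
    make_endpoint("s3", "Gateway", False),
    make_endpoint("redshift", "Interface", True),
]}

if __name__ == "__main__":
    for finding in audit_endpoints(SAMPLE, "us-east-1", "vpc-0example"):
        print(finding)
```

To run it against a real account, load the JSON saved from `aws ec2 describe-vpc-endpoints` and pass it in place of `SAMPLE`, with the region and VPC ID used by the Glue connection.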
Another important aspect is trust relationships. Your IAM role should be configured to allow AWS Glue to assume it. You might need to add Redshift as one of the trusted principals in the role’s trust relationship.
Also, check your security groups and network Access Control Lists (ACLs). They should permit the necessary communication between Glue, Redshift, Secrets Manager, and related services.
Lastly, ensure your virtual private cloud (VPC) connectivity is correct. The error indicates that Glue might not be able to connect to Secrets Manager to create or access the secrets needed for Redshift.
If you’ve gone through all these steps and still face issues, a workaround is to create the connection manually using the AWS CLI. As a temporary solution, you can use a custom connector for Redshift with the JDBC URL.